With an average of around two million daily users, along with approximately 7,000 relay nodes, Tor represents the most popularly used anonymity system that evolved from a mere scientific concept to a tool used every day in the real world. Tor is designed to protect the privacy of users online via separating the origin of each connection from its destination via onion-encrypted circuits. This process cannot differentiate between honest use cases, like bypassing censorship, and illegal or malicious actions, as it promotes the anonymity of both groups similarly. Even though legal entities are motivated in deanonymization to track criminal activities, censoring entities can utilize the same techniques to detect the origin of unwanted content or websites, in order to censor the dissemination of information.
The presence of successful Tor deanonymization attacks is greatly impactful, due to its widespread uses. A recently published paper focused on passive traffic analysis attacks, which represent a concern to members of the Tor community. Passive traffic analysis attacks deanonymize users via correlating transmission between the entry and exit nodes of onion circuits. Previous studies have shown that an autonomous system (AS)-level adversary can launch successful confirmation attacks, correlating the features of transmitted data to detect connections across the network.
What is DigesTor?
DigesTor is an evaluation framework that is developed to guarantee the comparability for current, recent, and future passive traffic analysis attacks, via a design that combines the strengths of real-world and simulated evaluation. DigesTor’s framework runs a special form of virtual private Tor networking that can generate traffic for various representative scenarios throughout which arbitrary attacks can be closely evaluated. The network utilizes virtual machines that have individual CPU cores for each network node, so realistic traffic can be transmitted throughout the actual network stack. Realistic network conditions are simulated via intermediate links using traffic shaping with parameters from empirical measurements obtained from the live Tor network. This experimental design boosts realism in simulated environments with artificial traffic generation, which promotes realistic link models and complies with the ethical guidelines established for Tor research.
DigesTor showcases a unique group of state-of-the-art attack techniques that were evaluated using the researcher framework. As a seed for future research studies, the analysis provided by this research presents a first performance comparison of various existing attacks regarding their deanonymization capabilities. Moreover, DigesTor can be utilized to analyze low latency mixing as a possible countermeasure to various forms of passive traffic analysis attacks. Results of experiments conducted have proven that mixing can deter confirmation attacks, as a limited performance overhead only.
Uses of DigesTor:
Experimentation with DigeTor provides a comparative overview of various attack metrics and metadata features. The following represents uses of DigesTor:
- Trace Corpus. The trace corpus serves as standard topologies and application frameworks. DigesTor can be used to analyze generic passive attacks without imposing any harm on users browsing the live network. Moreover, this supports the comparison of yielded results.
- Attacks. The traffic analysis framework offers a representative group of metrics that can be further extended by new attack metrics and metadata features. This permits comparing new approaches with the success of current work.
- Defenses. Following on the footsteps of usage of mixing as a countermeasure, future defensive research studies can utilize the performance comparison to analyze the impact of novel countermeasures.
What are the limitations to usage of DigesTor?
For the use case scenarios, developers of DigesTor simulate real user behavior via simple models, e.g., via randomized web requests to a limited group of sites or random download patterns. This is not fully representative of the user behavior that characterizes the traffic patterns in a real-world network usage scenario. When end-to-end confirmation attacks are considered, a match between client and server traces represents the primary interest. Additional user models for the experimental setup in a future revision of DigesTor will help produce more realistic scenarios, yet it is not necessary for the technical evaluation of attacks.
DigesTor offers two core features:
1- Generating first traffic analysis corpus of this kind that can support the comparability of future experimental research.
2- Establishing a Traffic Analysis Framework, which implements a group of recent deanonymization attack techniques for comparative performance analysis. To demonstrate the innovative benefits of DigesTor, its developers analyzed mixing as a potential countermeasure to deter passive traffic analysis attacks. Results of the researchers’ experiments indicate that mixing, reduces the success rate of otherwise successful confirmation attacks.